Association of Credit Union Senior Officers - PowerPoint PPT Presentation

About This Presentation
Title:

Association of Credit Union Senior Officers

Description:

Ninety four percent say they are willing to accept extra online security controls. ... The hyperlink text is for the real Citibank but after the user clicks the link ... – PowerPoint PPT presentation

Slides: 59
Provided by: stewartm7

Transcript and Presenter's Notes

1
Association of Credit Union Senior Officers
  • Weaving the Web
  • Combating Internet Fraud
  • ACUSO Annual Meeting
  • November 17, 2005

2
Association of Credit Union Senior Officers
  • Review & Discuss
  • Recent FFIEC guidelines.
  • Types of authentication available today.
  • Types of threats out on the Internet.
  • What is being done to combat Internet threats.
  • What the credit union can do to protect your
    website and related Internet products.
  • What the credit union can do to educate your
    members.

3
Association of Credit Union Senior Officers
  • Online ID theft statistics
  • Perhaps the best known form of online theft is
    "phishing." There were 13,776 distinct phishing
    attacks in August, 2005 according to the
    Anti-Phishing Working Group.
  • An October survey commissioned by the Internet
    Security company Entrust found that 18 percent of
    Americans who have banked online now do so less,
    or not at all, because of security concerns.
  • Mixed feelings on implementing extra online
    security (two surveys)
  • Ninety-four percent say they are willing to
    accept extra online security controls.
  • Eighty-one percent complained about security,
    passwords, etc.
  • The survey stated eighty-three percent do not want
    to pay for additional security controls.

4
Association of Credit Union Senior Officers
  • The FFIEC issued a report on Oct. 12, 2005
    declaring single-factor authentication, such as
    passwords, inadequate to secure transactions that
    involve customer information or the transfer of
    funds to or from an account.
  • The report encourages financial institutions to
    adopt "enhanced authentication methods" that can
    identify customers online by the end of next
    year.
  • The guidelines leave it up to the institutions to
    choose the kind of authentication technology,
    recommending that the risk assessment process be
    followed.

5
Association of Credit Union Senior Officers
  • Authentication Methods

6
Association of Credit Union Senior Officers
  • First type of authentication - Something a person
    knows.
  • PIN or password
  • Watermarks
  • Secret question
  • If the user types in the correct PIN, selects the
    correct image or answers the secret question
    correctly, access is granted!
  • Recent statistics show most people have an
    average of 17 passwords!

7
Association of Credit Union Senior Officers
  • Second type of authentication - Something a
    person has.
  • A self-contained device that must be physically
    connected to a computer.
  • This option increases the credit union's or
    member's hardware cost, as it requires a reader of
    some kind on the member's PC or laptop.
  • A device that has a small screen where a one-time
    password (OTP) is displayed. The user must then
    enter it to be authenticated.
  • Typically the OTP will change every 30-60
    seconds, and the device needs to be replaced every
    four to five years.

8
Association of Credit Union Senior Officers
  • Third type of authentication - Something a person
    is.
  • Fingerprint
  • Voice Pattern
  • Hand geometry
  • Retinal scan
  • This type of authentication is referred to as
    biometrics.
  • Requires installation of specific hardware.

9
Association of Credit Union Senior Officers
  • Biometric Digest Highlights: Fingerprint Readers
  • Affordability: devices are down to $50 or less.
  • Convenience: some readers feature USB
    plug-and-play and allow for user switching,
    which makes them more convenient for multiple
    registered users on an XP computer.
  • Security:
  • The solution should use leading-edge biometric
    fingerprint sensors from companies that can enroll
    multiple fingerprints.
  • Look for devices that include software with the
    ability to encrypt and decrypt files using the
    enrolled fingers, keeping files safe from
    unauthorized users.

10
Association of Credit Union Senior Officers
  • Phishing Scams

11
Association of Credit Union Senior Officers
  • Phishing: also known as carding and spoofing.
  • A form of social engineering, characterized by
    the attempts to fraudulently acquire sensitive
    information, such as passwords and account
    information via electronic communication such as
    email or instant message.

12
Association of Credit Union Senior Officers
  • Phishing: also known as carding and spoofing.
  • The first attempts were sent indiscriminately, in
    the hope of reaching a customer of a given
    financial institution or service.
  • Recent research has shown that phishers may in
    principle be able to establish what institution a
    potential victim has a relationship with, and
    then send an appropriately spoofed email to that
    victim. Such targeted versions are being called
    spear phishing.

13
Association of Credit Union Senior Officers
  • Presently, the standard means to verify that a
    site is secured are:
  • Is the site displaying a security seal such as
    "Verisign Secured"?
  • Is there a padlock in the lower right-hand corner
    of your Web browser? It indicates a Secure Sockets
    Layer (SSL) connection is in place.
  • Does the address begin with https://?

14
Association of Credit Union Senior Officers
  • Phishing: CITI Report, October 24, 2005
  • Email Subject Line: "CitiBank Bank Security
    Management Team update"
  • Description: The message received by the user is
    not well-written, but the rest of the scheme
    makes up for it.
  • The hyperlink text is for the real Citibank, but
    after the user clicks the link in the e-mail the
    URL in the address bar is
    https://citibusinessonline.da-us.cytigroup.com/cbusol/signon.do
  • There is a lock icon on the bottom of the browser
    window.

15
Association of Credit Union Senior Officers
  • Phishing: CITI Report, October 24, 2005
  • In short, the phisher was able to obtain a valid
    SSL (https) certificate to use as part of their
    scam.
  • If you click the "Verisign Secured" graphic in
    the web page, it displays a Verisign web page that
    clearly says that
    citibusinessonline.da-us.citibank.com (not
    cytigroup.com) is a Verisign Secured site. But
    it's still the sort of difference that few people
    will notice.
  • The remaining screens in the phishing attack
    collect and harvest information.

16
Association of Credit Union Senior Officers
  • Phishing: CITI Report, October 24, 2005
  • This example proves conclusively that following
    links in unsolicited e-mails is inadvisable.
  • Even the normal HTTPS facilities, valuable as
    they may be, are not proof that a site is what
    you think it is.
  • If you need to access one of your financial
    accounts, log into it through your normal
    bookmarks or by typing the URL.
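The cytigroup.com case shows why a padlock and a seal are not enough: the certificate was valid, just for the wrong name. As an added example that is not drawn from the presentation, the Python below performs the comparison a member's eye is supposed to make: it pulls the registrable domain out of the address-bar URL and measures its edit distance from the institution's own domains, flagging a one-character near miss as a lookalike. The LEGITIMATE_DOMAINS list and the sample URLs are constructed for the example, and the two-label registrable-domain rule is a simplification (names under multi-part suffixes such as .co.uk would need a public-suffix list).

```python
from urllib.parse import urlsplit

# Constructed for the example: the institution's own registrable domains.
LEGITIMATE_DOMAINS = ["citigroup.com", "citibank.com"]


def registrable_domain(host: str) -> str:
    """Last two labels of the host, e.g. 'a.b.cytigroup.com' -> 'cytigroup.com'.
    Adequate for .com/.org style names; multi-part public suffixes are not handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a single substitution such as 'i' -> 'y' costs 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def classify_url(url: str, legit_domains=LEGITIMATE_DOMAINS, max_distance: int = 2) -> dict:
    """Classify the host in `url` as 'legitimate', 'lookalike' (within
    `max_distance` edits of a real domain) or 'unrelated'.
    urlsplit().hostname strips any user@ prefix and port, so a URL such as
    https://citibank.com@evil.example/ is judged on evil.example, not citibank.com."""
    host = urlsplit(url).hostname or ""
    domain = registrable_domain(host)
    if domain in legit_domains:
        return {"verdict": "legitimate", "host": host, "domain": domain,
                "closest": domain, "distance": 0}
    closest = min(legit_domains, key=lambda d: edit_distance(domain, d))
    distance = edit_distance(domain, closest)
    verdict = "lookalike" if distance <= max_distance else "unrelated"
    return {"verdict": verdict, "host": host, "domain": domain,
            "closest": closest, "distance": distance}


if __name__ == "__main__":
    # The URL quoted in the CITI report above, with the real site for comparison.
    for u in ("https://citibusinessonline.da-us.cytigroup.com/cbusol/signon.do",
              "https://citibusinessonline.da-us.citibank.com/"):
        print(classify_url(u))
```

The same check is useful on the defensive side of the house: run it over the domains in inbound mail links or new registrations that resemble the credit union's name, which is what the "purchase and maintain all resembling domain names" advice later in the deck is trying to pre-empt.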

17
Association of Credit Union Senior Officers
  • Popular Method of Phishing: Cross-Site Scripting
    and Open Redirect URLs
  • Fraudsters detect and exploit opportunities to
    run their frauds on the financial institutions'
    own sites.
  • Taking advantage of mistakes in applications and
    web site management, fraudsters have been able to
    run phishing scams on sites belonging to Visa,
    MasterCard, SunTrust, Charter One, and Citizens
    Bank.

18
Association of Credit Union Senior Officers
  • Popular Method of Phishing: Cross-Site Scripting
    and Open Redirect URLs
  • Typically this has been achieved through the use
    of cross-site scripting and redirection URLs
    present on financial institutions' sites.
  • Open redirects found on financial web sites are
    liable to be exploited by fraudsters to create a
    link to their site via the open redirect on the
    credit union's web site. This makes the link look
    genuine, as it will appear to point to a page on
    the credit union's web site, and it is particularly
    plausible if the credit union's site is served
    using SSL, as the credit union's SSL certificate
    will be used.
  • When a user clicks on the link, they may be
    unaware that they have been redirected to the
    phishing site.
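The open redirect described above is typically a handler that takes a destination URL from a query parameter and sends the browser there unchecked. As an added example that is not from the presentation, the Python below sets that handler's logic beside a hardened version which only follows same-site relative paths or HTTPS links to an allow-listed host, and which covers the encodings that commonly defeat naive checks (scheme-relative //host, backslashes, percent-encoding, user@host). ALLOWED_HOSTS and the test URLs are constructed for the example.

```python
from urllib.parse import urlsplit, unquote

# Constructed for the example: hosts this site may legitimately send users to.
ALLOWED_HOSTS = {"www.creditunion.example", "online.creditunion.example"}


def vulnerable_redirect_target(url: str) -> str:
    """The open redirect: returns whatever the ?next= parameter says, so a
    link on the credit union's own site can land anywhere. Kept only to
    contrast with the hardened version below."""
    return url


def safe_redirect_target(url: str, default: str = "/") -> str:
    """Return `url` only if it is a same-site relative path or an HTTPS URL to
    an allow-listed host; otherwise fall back to `default`."""
    if not url:
        return default
    # Decode once so %2F%2Fevil.example cannot smuggle a scheme-relative URL
    # past the checks; browsers decode it before following.
    candidate = unquote(url).strip()
    # Browsers treat backslashes as slashes ("/\evil.example" == "//evil.example");
    # normalise before parsing so urlsplit sees the same thing the browser will.
    candidate = candidate.replace("\\", "/")
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        # Absolute or scheme-relative URL: only https, only allow-listed hosts,
        # and no user@ prefix (hostname already excludes it; checked explicitly).
        host = (parts.hostname or "").lower()
        if parts.scheme == "https" and host in ALLOWED_HOSTS and parts.username is None:
            return candidate
        return default
    # Relative URL: a single leading slash. "//host" has a netloc and was
    # rejected above; "javascript:" has a scheme and was rejected above.
    if candidate.startswith("/") and not candidate.startswith("//"):
        return candidate
    return default


if __name__ == "__main__":
    for probe in ("/account/summary", "//phish.example/", "/\\phish.example",
                  "%2F%2Fphish.example", "https://www.creditunion.example@phish.example/",
                  "https://online.creditunion.example/login"):
        print(f"{probe!r:55} -> {safe_redirect_target(probe)!r}")
```

Where the design allows it, do not accept URLs at all: hand out an opaque key into a server-side table of permitted destinations, so there is nothing for a fraudster to substitute. Either way, periodic scans of the site for redirect parameters catch the handlers that a rushed release slipped in.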

19
Association of Credit Union Senior Officers
  • Popular Method of Phishing: Example of an ecard
    scam that is trickier than most phishing.
  • The ecard looks like it comes from Hallmark and
    asks you to download an attachment to pick up
    your ecard. However, the attachment isn't really
    an ecard -- it's a Trojan.
  • This particular Trojan then waits for you to sign
    onto AOL. If and when you do, it displays a
    pop-up window that looks like an AOL form, but
    asks you to verify/update your AOL billing info
    by providing your credit card, checking account
    info, and Social Security number.

20
Association of Credit Union Senior Officers
  • Fair Credit Reporting Act: FREE Credit Report Scams
  • An amendment to the Fair Credit Reporting Act
    requires each of the nationwide consumer
    reporting companies to provide consumers with a
    free copy of their credit report upon their
    request, once every 12 months.
  • The three companies have set up one central
    website, toll-free telephone number, and mailing
    address through which a person can order a free
    credit report.

21
Association of Credit Union Senior Officers
  • Fair Credit Reporting Act: FREE Credit Report
    Scams
  • The Federal Trade Commission (FTC), the nation's
    consumer protection agency, wants you to know
    that, if you want to order your free annual
    credit report online, there is only one
    authorized website: annualcreditreport.com.
  • To Order Your Free Annual Credit Report:
  • Visit annualcreditreport.com
  • Call toll-free 1-877-322-8228
  • Mail your completed Annual Credit Report Request
    Form to: Annual Credit Report Request Service,
    P.O. Box 105281, Atlanta, GA 30348-5281

22
Association of Credit Union Senior Officers
  • Fair Credit Reporting Act: FREE Credit Report
    Scams
  • These sites often look like the official site at
    annualcreditreport.com.
  • Some use terms like "free report" in their names;
    others have website names that purposely misspell
    annualcreditreport.com in the hope that you will
    mistype the name of the official site.
  • Some of these impostor sites direct you to
    other sites that try to sell you something or
    collect your personal information.
  • To learn about spam or report an occurrence, visit
    www.ftc.gov/spam

23
  • MALWARE

24
Association of Credit Union Senior Officers
  • Malware
  • Malware is a type of software designed to take
    over and/or damage a computer user's operating
    system, without his or her knowledge or approval.
  • Once installed, it is often very difficult to
    remove, and depending on the severity of the
    program installed, its handiwork can range from
    the slightly annoying (such as unwanted pop-up ads
    while a user is performing regular computing tasks
    on- or offline) to irreparable damage requiring
    the reformatting of one's hard drive, since much
    malware is poorly written.

25
Association of Credit Union Senior Officers
  • Examples of Malware: Backdoor
  • A backdoor is a piece of software that allows
    access to the computer system bypassing the
    normal authentication procedures. Based on how
    they work and spread, there are two groups of
    backdoors.
  • The first group works much like a Trojan, i.e.,
    they are manually inserted into another piece of
    software, executed via their host software and
    spread by the host software being installed.
  • The second group works more like a worm as they
    get executed as part of the boot process.

26
Association of Credit Union Senior Officers
  • Examples of Malware: Dialer
  • A dialer is a program that either replaces the
    phone number in a modem's dial-up connection with
    a long-distance number, often out of the country,
    in order to run up phone charges on pay-per-dial
    numbers, or dials out at night to send keylogger
    or other information to a hacker.

27
Association of Credit Union Senior Officers
  • Examples of Malware: Keylogger
  • A keylogger is software that copies a computer
    user's keystrokes to a file, which it may send to
    a hacker at a later time.
  • Often the keylogger will only "awaken" when a
    computer user connects to a secure website, such
    as a bank's. It then logs the keystrokes, which may
    include account numbers, PINs and passwords,
    before they are encrypted for transmission to the
    secure website.

28
Association of Credit Union Senior Officers
  • Examples of Malware: Browser Hijacker
  • A browser hijacker is any program designed to
    alter a computer user's browser settings.
  • These changes can come in the form of new web
    sites added to the user's bookmarks, the
    replacement of his or her home page with one set
    by the author or, in the worst-case scenario, the
    browser actually being redirected to various URLs
    of the author's choosing when certain addresses
    are typed or found in a search engine results
    page.

29
Association of Credit Union Senior Officers
  • PHARMING

30
Association of Credit Union Senior Officers
  • Pharming
  • Pharming is the exploitation of a vulnerability
    in DNS server software that allows a cracker to
    acquire the domain name for a site and to
    redirect that website's traffic to another web
    site.
  • DNS servers are the machines responsible for
    resolving Internet names into their real
    addresses: the "signposts" of the Internet.

31
Association of Credit Union Senior Officers
  • Pharming
  • The domain name server acts as a "phone book" to
    associate the domain name of a website with its
    IP address ("resolving the domain name").
  • If the web site receiving the traffic is a fake
    web site, such as a copy of a bank's website, it
    can be used to "phish" or steal a computer user's
    passwords, PIN or account number.
  • is ignoring warnings about invalid server
    certificates.
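When pharming sends a member to the wrong server, TLS is what still stands in the way: the impostor cannot present a trusted certificate whose names cover the hostname the member typed, so the browser warns. As an added example that is not part of the presentation, the Python below implements that name comparison as browsers apply it (the RFC 6125 rules: case-insensitive, a wildcard only as the whole left-most label matching exactly one label, no wildcard for a bare registrable domain, IP addresses matched exactly). The certificate names and hosts are constructed for the example; in production the TLS library performs this check (Python's ssl module does it during the handshake), and this code only makes the logic visible.

```python
import ipaddress


def hostname_matches(cert_names, host: str) -> bool:
    """True if `host` is covered by one of the certificate's subjectAltName
    entries (DNS names or IP addresses), following RFC 6125 section 6.4.3."""
    host = host.lower().rstrip(".")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None

    for name in cert_names:
        name = name.lower().rstrip(".")
        if ip is not None:
            # An IP literal only matches an iPAddress entry exactly; no wildcards.
            try:
                if ipaddress.ip_address(name) == ip:
                    return True
            except ValueError:
                pass
            continue
        if "*" not in name:
            if name == host:
                return True
            continue
        # Wildcard handling: '*' must be the entire left-most label, appear once,
        # and leave at least two further labels (so '*.com' covers nothing).
        pattern_labels = name.split(".")
        if pattern_labels[0] != "*" or "*" in name[1:] or len(pattern_labels) < 3:
            continue
        host_labels = host.split(".")
        # Exactly one label is matched by '*': label counts must agree and the
        # remaining labels must be identical.
        if len(host_labels) == len(pattern_labels) and host_labels[1:] == pattern_labels[1:]:
            return True
    return False


def certificate_warning(cert_names, typed_host: str) -> str:
    """What the browser would conclude for a DNS answer that led to this server."""
    if hostname_matches(cert_names, typed_host):
        return "ok"
    return f"certificate names {cert_names} do not cover {typed_host!r}"


if __name__ == "__main__":
    # Constructed: the credit union's real certificate versus a pharmed server's.
    real_san = ["www.creditunion.example", "*.online.creditunion.example"]
    pharm_san = ["phish.example"]
    print(certificate_warning(real_san, "www.creditunion.example"))
    print(certificate_warning(pharm_san, "www.creditunion.example"))
```

A pharmed server can also present a certificate for the right name only if it obtained one from a trusted CA, which is why the Citi case above, where the fraudster got a valid certificate for a lookalike name, is the more realistic threat and why the browser's warning is the member's last signal.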

32
Association of Credit Union Senior Officers
  • Web Site Page Hijacking
  • In the summer of 2004, a Linux web server running
    Apache and OpenSSL was patched only up to about
    2000 levels. The web server was hosting several
    websites, including the web page of our client (a
    credit union).
  • One night, the website was defaced, and the page
    put up in its place proclaimed an end to Israeli
    terrorism and a desire for Palestinians to have
    their own country.

33
Association of Credit Union Senior Officers
  • Through subsequent research on the group that
    claimed responsibility for the defacing, it was
    learned that:
  • The website was defaced by a worm that exploits a
    known vulnerability in open source software.
  • The software that was exploited is often included
    in a standard Linux server running Apache.
  • The website would not have been defaced if basic
    patch management practices were followed.

34
  • WHAT IS BEING DONE TO COMBAT THE THREATS?

35
Association of Credit Union Senior Officers
  • Single Sign On and a Federated System
  • Federated Identity or Identity Federation is a
    new approach to extending the reach of existing
    single sign-on systems through a secure exchange
    of user data among cooperating organizations,
    whether within a company or between companies.
  • Federation enables a seamless experience for the
    user across multiple services, gives companies
    better control over their user identities, and
    enhances security by reducing the number of
    places where the same user needs to be managed.
  • Single sign-on will still include at least
    two-factor authentication.

36
Association of Credit Union Senior Officers
  • VENDORS IN THE NEWS

37
Association of Credit Union Senior Officers
  • Some Links to consider upon further research
  • RUTHERFORD, N.J. (9/27/05)--Credit Unions'
    Virtual Assistant (CUVA) and Green Armor
    Solutions are coming together to provide credit
    unions with an anti-phishing system.
  • Identity Cues combines technology and psychology
    to combat phishing, pharming and other forms of
    online fraud (Business Wire Sept. 21).
  • "Identity Cues makes it obvious to users whether
    they are using a credit union's legitimate
    website or a phony website set up to enable
    fraud. It also integrates with online banking
    applications and does not interfere with the
    online banking process."

38
Association of Credit Union Senior Officers
  • Some Links to consider upon further research
  • According to Green Armor, Identity Cues uses
    easily recognizable visual cues (such as colored
    letters) during every login for users to quickly,
    and even subconsciously, recognize if the site is
    genuine.
  • Cues are displayed as users type their usernames
    and passwords. They vary between users but are
    identical on each login for any particular user.

39
Association of Credit Union Senior Officers
  • Vendors in News - CYOTA
  • In March, a Pennsylvania Credit Union started
    rolling out a two-factor authentication
    technology from Cyota Inc. that analyzes and
    scores risks on individual online banking
    transactions. The scoring is based on criteria
    such as the end user's computer, IP address,
    geographic location and transaction history.
  • Users trying to conduct online banking
    transactions that the system flags as being high
    risk are authenticated via telephone calls or a
    challenge-and-response process.

40
Association of Credit Union Senior Officers
  • Vendors in News - CYOTA
  • The cost of implementing PassMark's technology
    for a bank with 50,000 online users is $1 per
    user annually, said Steve Klebe, a vice president
    at the Redwood City, Calif.-based vendor.
  • For larger banks, the yearly per-user cost can be
    less than the price of a single postage stamp, he
    added. Cyota's technology also costs less than $1
    per user annually, according to the New
    York-based company.
  • In contrast, token-based authentication can
    easily cost up to $10 per user each year. Its
    cost and complexity tend to limit the use of
    tokens to high-value transactions or internal
    applications.

41
Association of Credit Union Senior Officers
  • Vendors in News: Digital Insight
  • Digital Insight, a provider of outsourced
    Internet banking services, plans to soon start
    offering multifactor authentication capabilities
    based on technology from TriCipher Inc. in San
    Mateo, Calif.
  • TriCipher lets consumers use their computers as
    an authentication credential when conducting
    online transactions or store portions of their
    credentials on personal devices such as MP3
    players.

42
Association of Credit Union Senior Officers
  • Vendors in News: L9.com
  • Safe2Login acts as a third-party trust authority
    employing mutual authentication technologies: a
    multifactor positive authentication process
    coupled with the ability to authenticate the
    banking server to the customer.
  • According to Safe2Login, the recent NCUA and FFIEC
    agency guidance mandates a need to reliably
    authenticate customers and provide defense
    against phishing and pharming by verifying that
    the customer is in fact communicating with the
    correct banking server, not a spoofed site.
  • Mutual authentication is the methodology required
    to meet these goals.

43
Association of Credit Union Senior Officers
  • Vendors in News: L9.com
  • L9.com's Safe2Login authentication solution was
    the recipient of the 2005 CUNA Technology Council
    Future Forum "Best of Show" award.
  • Mutual Authentication is a process whereby
    customer identity is authenticated and the target
    Web site is authenticated to the customer.
  • Currently, most credit unions do not authenticate
    their Web sites to the customer before collecting
    sensitive information. Credit Unions can aid
    customers in differentiating legitimate sites
    from spoofed sites by authenticating their Web
    site to the customer.

44
Association of Credit Union Senior Officers
  • Vendors in News: L9.com
  • Safe2Login's customer verification process is
    classified as a layered Positive Verification
    process where Safe2Login, acting as a trusted
    third-party, ensures that material information
    provided by an applicant during login matches the
    information supplied during the secure
    registration process.
  • The Safe2Login multifactor authentication process
    requires that users know several pieces of
    information they supply to the system in a way
    that defeats "keyloggers."
  • This provides the Credit Union with an increased
    level of confidence that the customer is who they
    say they are.

45
Association of Credit Union Senior Officers
  • Vendors in News - Netcraft
  • Netcraft can perform an automatic search of a
    customer's web sites to scan for possible
    redirection URLs in use, on a daily basis,
    thereby promptly trapping redirects introduced by
    inadvertent web design and application
    development.
  • www.netcraft.com

46
Association of Credit Union Senior Officers
  • HOW TO PROTECT YOUR WEB SITE

47
Association of Credit Union Senior Officers
  • Protect your web site
  • Purchase and maintain all domain names that
    resemble the credit union's web site address.
  • Ensure domain names are registered to the credit
    union CEO.
  • Review both the Admin and Technical contacts.
  • Secure the user ID and password.

48
Association of Credit Union Senior Officers
  • Protect your web site
  • Periodically change the password and verify that
    account information is current.
  • Ensure a documented procedure is in place for
    this to occur. Do not leave it up to one
    employee.
  • Change all password information upon employee
    termination or absence.

49
Association of Credit Union Senior Officers
  • Protect your web site
  • Review web site daily to ensure pages have not
    been compromised.
  • Do not give web host provider or designers
    permission to make any changes to Domain records
    for contact or DNS information.
  • Remove all detailed contact information from web
    site.

50
Association of Credit Union Senior Officers
  • Protect your web site
  • Ensure web site and other on-line service
    providers perform security patches as threats are
    identified.
  • Review security reports and incidents from web
    host company and all other on-line services
    providers.
  • Contract a third party to perform remote
    vulnerability assessments (RVAs) if they are not
    periodically performed by the service provider.
  • Make sure an objective third party performs the
    RVAs.

51
Association of Credit Union Senior Officers
  • Protect your web site
  • Ensure multiple employees or groups are receiving
    alerts on latest Internet security threats.
  • Ensure you have identified all vendors involved
    in your Internet services.
  • Follow risk assessment process including the
    collection, retention and disposal of membership
    information.

52
Association of Credit Union Senior Officers
  • HOW TO EDUCATE YOUR MEMBERS

53
Association of Credit Union Senior Officers
  • Educate your members
  • Provide written guidance upon entering the web
    site.
  • Fraud prevention link to the correct Free Credit
    Report site.
  • Link to latest threats.
  • Advise them to not work with their accounts on
    shared computers. Stay away from library and
    other public connections.
  • Change passwords frequently.
  • Consider implementing a maintenance/security
    board to notify your members of any threats,
    periodic maintenance, etc.
  • Consider a hot-line.

54
Association of Credit Union Senior Officers
  • Educate your members
  • Provide members guidance for reporting Internet
    Identity theft.
  • The Internet Fraud Complaint Center (IFCC) is a
    partnership between the Federal Bureau of
    Investigation (FBI) and the National White Collar
    Crime Center (NW3C).
  • IFCC's mission is to address fraud committed over
    the Internet. For victims of Internet fraud, IFCC
    provides a convenient and easy-to-use reporting
    mechanism that alerts authorities of a suspected
    criminal or civil violation.
  • www.ifccfbi.gov/index.asp

55
Association of Credit Union Senior Officers
  • Educate your members
  • Provide members guidance for learning about and
    reporting SPAM.
  • This website has information about the Federal
    Trade Commission's recent law enforcement actions
    against deceptive commercial email and spammers'
    responsibilities under the CAN-SPAM law.
  • In the "For Consumers" section, you'll find tips
    on how to reduce the amount of spam email in your
    in-box.
  • www.ftc.gov/spam

56
Association of Credit Union Senior Officers
  • Other Helpful Websites
  • Federal Computer Incident Response Center
    (FedCIRC) at http://www.fedcirc.gov
  • Federal Financial Institutions Examination Council
    (FFIEC) at http://www.ffiec.gov/ffiecinfobase/index.html
  • US Computer Emergency Readiness Team (US-CERT) at
    http://www.us-cert.gov

57
  • Thank You!

58
Association of Credit Union Senior Officers
  • Buckley Technology Group
  • Kristina Buckley, President
  • kmb@buckleytechgroup.com
  • www.buckleytechgroup.com
  • 781.829.9934
  • 130 Till Rock Lane, Norwell, MA 02061
  • Preferred Information Security Business Partner
  • Netivity Solutions
  • www.netivitysolutions.com
  • Skip Tappen
  • Vice President and General Manager
  • Netivity Solutions
  • 271 Waverley Oaks Road
  • Waltham, MA 02452
  • 781-472-3466